Android security: Coin miners show up in apps and sites to wear out your CPU

Expect to see more miners silently chewing up CPU resources through your browser.
Written by Liam Tung, Contributing Writer on

Video: Here's everything you need to know about Bitcoin cash

Security researchers are concerned about the rise of cryptocurrency miners that are being embedded into websites and apps to use a device's resources without gaining permission.

Security firm Trend Micro discovered three Android apps on Google Play with two different miners.

Two of the apps, Recitiamo Santo Rosario Free and SafetyNet Wireless App, use the popular Coinhive JavaScript in-browser Monero miner, while a third app, called Car Wallpaper HD: mercedes, ferrari, bow and audi, includes a malicious version of the legitimate cpuminer library.

Google removed the apps after being alerted to their hidden mining capabilities.

The JavaScript miner runs inside the app's built-in browser but it gives no indication to the user that the miner is running. Trend Micro notes that the phone's CPU usage will be "exceptionally high" when the JavaScript code is running.

Trend Micro researchers say while using mobile devices probably returns insignificant earnings for the attackers, the malware still degrades the device's performance, causes wear and tear, and reduces its battery life.

Coinhive offers its mining service as an alternative to monetizing a website through ads. However, Trend Micro, Malwarebytes, Sucuri, and other security firms have found a recent surge in attackers adding Coinhive miner to compromise websites to borrow CPU power from PCs. Some sites were also keeping ads while silently running the miner rather than replacing ads.

It's the same miner that was founded embedded on The Pirate Bay, but the piracy site's developers were intentionally testing whether mining Monero could replace ads, which are often blocked by ad-blockers.

The key problem, and reason Malwarebytes recently decided to block script running from Coinhive.com, was that Coinhive allowed site owners to use it without first asking the visitor's permission.

The site owner can also configure the JavaScript miner to use only a certain amount of each visitor's system. The Pirate Bay, for example, said it mistakenly set the miner to use 100 percent of a visitor's CPU, but corrected the issue to only consume 20 to 30 percent and restricted the activity to one tab.

As Sucuri notes, Coinhive responded to the antivirus blocks by releasing a new version of the miner that runs scripts from the domain AuthedMine.com, which only allows a site to use a visitor's CPU after the user opts in. The site shows an example of what the opt-in UI looks like.

However, Coinhive still supports the older version with no opt-in user interface. And as BleepingComputer noted recently, there are now several Coinhive clones, including WordPress 'Coin Hive' plugins, and none of them asks for permission.


Two of the apps that Trend Micro has discovered use the popular Coinhive JavaScript in-browser Monero miner.

Image: Trend Micro/Google

Previous and related coverage

IT leader's guide to the blockchain [Tech Pro Research]

The blockchain may hold significant opportunities for the enterprise, from financial services to IP protection to job documentation. This ebook looks at what the blockchain is and how it could affect your business.

Executive's guide to implementing blockchain technology

The technology behind bitcoin is one of the internet's most promising new developments. Here's how businesses can use it to streamline operations and create new opportunities.

How much does The Pirate Bay's cryptocurrency miner make?

If adverts turn off visitors, the torrent search engine is hoping CPU borrowing can make up the revenue.

Read more about cryptocurrency

Editorial standards


Watch out for this triple-pronged PayPal phishing and fraud scam

Watch out for this triple-pronged PayPal phishing and fraud scam

We will see a completely new type of computer, says AI pioneer Geoff Hinton

We will see a completely new type of computer, says AI pioneer Geoff Hinton

Garmin's new Index BPM is the blood pressure monitor that I've been waiting for

Garmin's new Index BPM is the blood pressure monitor that I've been waiting for